SparkFun gets a Subpoena for all orders; says nah

It’s no secret that we’re fans of open source, and open hardware. And we have to applaud companies like SparkFun who also keep their customers in the loop about what’s going on with the business end of the company. For instance, they were recently contacted by a Sheriff’s office and asked for customer information and are sharing the story. One of their products had been used in a series of credit card skimmers and the officers wanted to get purchase information to track down the bad guys. SparkFun doesn’t just give out customer data and so was subsequently served with a subpoena.

The thing is, the document asks for all customer orders shipped to Georgia during a six-month period. This seemed like it covered way too many orders, since the majority of them didn’t include the part in question. But the officials were willing to work with the company and narrowed the request to just the 20 or so orders that had the item in them.

It’s an interesting read, and we agree with SparkFun’s point about white hats and black hats. Often when posting about projects here we wonder about the potential to use the knowledge for no good. But restricting the availability of knowledge (or hardware in this case) because of a few bad actors is a concept we oppose. It’s like being a hacking superhero: with great skill comes great responsibility.

82 thoughts on “SparkFun gets a Subpoena for all orders; says nah”

I was thinking the same thing. Do they really think this guy got his equipment that recently? It would probably take me at LEAST a couple months to build a credit card skimmer in a concealable fashion.

I’m sort of stunned to hear that SparkFun was upset about turning over customer details, in response to a subpoena, regarding items which had been purchased from SparkFun and had ended up in credit card skimmers — it’s one thing to respond to an overbroad subpoena with a request to narrow it down, and quite another to scruple over turning over evidence of a crime. (And “OMG I AM IN A POLICE DATABASE NOW OMG BIG BROTHER” is kind of stupid, too — have you got a driver’s license? a state ID? a home address? Then you’re “in a police database”. Deal.)

Learning that SparkFun isn’t real comfortable about the thought of complying with the law doesn’t make me real comfortable about the thought of doing business with SparkFun. Unfashionable, I know, but true all the same, and I doubt I’m the only one.

Sounds to me like they were perfectly willing to hand over the relevant information — customer and order details for the orders that contained the PART in question; what they didn’t want to do was hand over all orders in that state that had nothing to do with the device found.

Why should it make you uncomfortable that SparkFun is protecting your privacy? As the article stated, “A subpoena is public record once the case is closed.” The subpoena was requesting far more information than the police need for their investigation and could infringe on quite a few people’s privacy. Also, the article states that they did work with the police in a reasonable fashion, without sending 6 months of transaction history.

I think you may have misread the article; SparkFun didn’t object to the subpoena itself but to the inappropriate volume of information they were requesting, much of which was irrelevant to the investigation.

If you’d read the comments below the story, they very much objected to supplying any information at all, but given lack of time and legal resources decided this was a better option than risk the police returning with a search warrant.

Sorry dude but you are quite the idiot IMO, and quite alone I hope in your thoughts, like a serial killer or something.

And while you brought it up, I think they really should also not be allowed to subpoena the info about ‘items that can be used in skimmers’, since that in itself is insane since most anything can be used for a crime and allowing such means the barrier between a police state and sanity has been dropped another notch, assuming there are any notches left of course.

Eric – I have no problem with them working with the sheriff’s office to narrow the scope of the request. What bugs me is that they had such a big problem with fulfilling even the narrowed request.

“Data privacy hawk”, okay whatever, but when your principles mean so much to you that you’d rather break the law than assist in catching a gang of thieves who’ve been stealing innocent people’s credit card info and likely fucking up their lives with it, that’s where I start to have a problem.

Different perspective, different morality, that’s all, along with a lack of the hippie’s ingrained hatred of authority. To most progressives this makes me Satan, but then, most progressives aren’t particularly bright in the first place and I don’t know why I would expect them generally to comprehend the difference.

Devin – Because I’m a grownup, sweetie, and as such I understand that having laws and police to enforce them is far preferable to buying big mean dogs and sitting up all night with a shotgun. Don’t worry if it’s all over your head right now; you’ll understand when you’re older.

Just because you are a ‘grownup’ doesn’t mean you are wise. In fact, people of all age groups have varying backgrounds of intelligence and wisdom.

Hypothetically, I am even more ‘grownup’ than you (prove me wrong), and when YOU get older, you’ll realize the police don’t have a right to know everything about everyone at all times of day. You know what? Because the police abuse their power many times. When you get older, you’ll learn this. In order to keep the system of checks and balances going, you need to restrain the power the police has over what they are allowed to do, and the way of doing that is by keeping your private information exactly that, private. People that did not order the specified part had to reason to be part of an investigation. Also, some ‘hu hu hurr hurr’ counter argument, is being presented here for your convenience. “Hu hu, hurr, freedom, hur hur dee dur.”

dext3r, honey, did you read what I wrote before you started your response? Sparkfun’s initial response to the subpoena doesn’t bother me. Sparkfun’s representative vaporing over compliance with even the reduced scope bothers me. Laws, believe it or don’t, exist for a reason. I don’t assume I’m smarter than every legislator in human history, so, by default, I assume that, as with most traditions, most laws exist for a good reason, even if that reason isn’t immediately obvious.

(I realize this sounds abhorrent to progressives, who share with other Protestants both a fervid zeal to bring about the earthly Kingdom of God, and the barely veiled conviction that the world contains one legitimate faith and a million million heresies. Try to wrap your head around it for the sake of argument, though.)

The point of all this is to explain that, where you say “People that did not order the specified part had to reason to be part of an investigation.” — that isn’t a response to the point I’m actually making.

If you’re getting the impression that I have perfect faith in the police, then you really do need to go back and re-read, because you’re missing what I’m saying: laws and police, while far from perfect, are still far preferable to the alternative, which in effect reduces to rule by the biggest, nastiest bastard of them all.

This is something a lot of progressives really don’t seem to understand, and I’m not sure why; the only plausible reason I’ve been able to come up with is that, never having lived outside the protection of the nomos, they really have no idea what they want to let us all in for — “the grass is always greener”, &c.

Consider this hypothetical problem from philosophy: a train is heading down the track towards a large group of people, and will definitely kill them unless someone pulls a lever, which will redirect the train towards a smaller group of people. Now, pulling the lever is probably the best thing that can be done, but the person who pulled the lever can, understandably, still regret their role in the situation. After all, it was their decision which harmed completely innocent people for no reason than they were in a less numerous group than another.

The situation is similar, even if we are dealing with rights of privacy rather than life and limb. Sparkfun decided that the best decision was to hand over the limited set of information, but regret that this represents a punishment of sorts for innocent people.

I don’t understand why you have a problem with them expressing this regret. Sparkfun’s blog was not calling for anarchism or progressivism or libertarianism or any other -ism; they are simply explaining that some customers had their information leaked and expressing regret of their involvement. After all, in the train scenario, we don’t want to hear the person who pulled the lever that ended up killing someone we loved crowing about their heroism in saving the other group of people.

Loss of privacy isn’t death, but it is a thing: there must be some reason you only use your first name, for example.

(You keep calling people “progressives” as if this were a word of terrible scorn. Whatever your issues are with progressives, this might not be the place to work that out. No one here has claimed the term in this discussion, and by using it you may only be creating enemies where you could have had allies, or at least more receptive readers.)

So your complaint is that they … still turned over info to the law? I mean, your major argument is that they took a second to think about it? In the end, they DID comply, so what exactly is your problem? The law got exactly what they needed and SparkFun protected customers that had nothing to do with this issue.
Please read the response from Chris below, someone who was actually directly involved with the situation. (If he is telling the truth.)
His opinion on the situation matters much more than yours, some armchair legal jockey who is whining that SparkFun took a second to evaluate the situation rather than blindly following the misguided orders of the police. Chris’ response is very reasonable and understandable, and basically makes a non-issue out of the whole thing. Which at this point, it is. It is a non-issue. For you to be upset, that you FEEL SparkFun is somehow snubbing their nose at authority for whatever reason, is asinine.

Also, why do you keep bringing up progressives and now Kingdom of God? I don’t know where you are coming up with this stuff. Afraid the progressive boogey-men are coming to get you?

I re-read the original article several times. The only place I saw where SparkFun had a problem is with the overly-broad request, which I am glad they did object.

Then they worked with LE to narrow down the request to something that was actually reasonable. I cannot find any place where they objected to a reasonable request of the 20 or so *relevant* customers.

In addition to guarding the private information of 100’s of customers to a fishing expedition, they *saved* many hours of tax-funded police time by narrowing down the information the police had to go thru.

Personally, this makes me want more to be a SparkFun customer. They showed good judgement and complied with the law in a responsible manner.

Please quote from the original post the text where they objected to the cut-down reasonable request.

“your principles mean so much to you that you’d rather break the law than assist in catching a gang of thieves”

Interesting reframing, which informs me more about you than about Sparkfun.

It is not against the law to contest an overly broad subpoena and negotiate something narrower (you agree with that not being illegal). Nor is it against the law to verbally complain – while complying – if you think even the narrowed scope is inappropriate (I assume this is the law breaking part you refer to).

Seems to me the only laws they could be accused of would be “thought crimes” for daring to dissent verbally, even while complying physically.

Even if they had hired a lawyer to contest the (narrowed) subpoena in court, that would not be breaking the law – that would be working within the legal system as it was designed to work, in balancing mixed objectives like privacy and law enforcement.

Seems to me that your interpretation and reframing is more about your prejudices against your mental image of hippies and progressives getting triggered into overdrive and obscuring your objective description of the situation.

Village Idiot is anything but – nice enlightenment about the carefully crafted distinction among instruments of the legal system for those interested in a more nuanced view than “if the police want something, they must automatically be in the right legally and anybody who objects must be a (aspiring if not actual) law breaker”.

I would rarely advocate breaking the law and not without sufficient reason (I’m a pretty law abiding citizen really); but I also don’t turn off my objectivity and intellect and cede my *legal* rights as a citizen just because the words “law enforcement” have been used. Sparkfun made some compromise which was within their civil and legal rights (including their commentary on same).

I assume you never complain about taxes either (even while paying them), as that might be a similar thought crime.

There’s no bad guys in this story, other than the ones who skimmed the credit cards. The judge probably didn’t realize how many orders Sparkfun sends to a given state in six months. Sparkfun said, hey, that’s rather a lot of user data, can we just send the info related to the device that was misused? Then the judge said, oh, sure, that makes sense.

I’m not sure why this makes Sparkfun bad in your book. They did their best to support both the rights of their customers and the people who were getting their credit cards skimmed. It’s always hard to draw a line between potentially conflicting interests, but they worked with the judge on it and in this case were able to reach a reasonable compromise.

— and then complained about having to comply with the law and turn over any information whatsoever, which is what bothers me. I don’t think I’d have that easy a time being upset over helping catch a skimmer gang.

I dunno. There’s this real strain of resentment and contempt of authority in this whole thing, which is something I don’t understand when it comes from people who are well-to-do and generally law-abiding, and who therefore have no particular reason to fear the police.

(Before you dribble out “sure the innocent have nothing to fear hur hur” and think you’ve made a point in so doing: Yeah, the cops fuck up sometimes, and once you’re in the “justice” system, you’re likely to get worked over pretty badly whether you’re innocent or otherwise. None of this is good, but it still beats the shit out of anarchy; I’d rather a few innocent people get worked through the gears once in a while, which is what we have now, than all of us all the time, which is what idiot children don’t realize “anarchy” actually means.)

Aaron, you are right that privileged people are rarely the targets of the justice system. Please consider that those people who are expressing fear of the justice system may not be as privileged as they appear to be at first.

At no point in the subpoena stated that Sparkfun was the only place that these items could have been purchased from. As a matter of fact, there’s almost nothing to indicate that these credit card skimmers are related to Sparkfun:

It appears that the law enforcement agents are now going to harass 20 or so people that happened to purchase components that could be used in said crime — despite knowing that any of these products could have come from anywhere.

IANAL, but there seems to be some sloppiness on the government’s side here. As a customer of sparkfun, I appreciate that they are honoring their privacy policy to protect me. If “the law” doesn’t follow proper due process, then it isn’t acting in accordance with *the law*. And there’s no telling what sort of “justice” will end up being served with such sloppiness. In this case sparkfun went above and beyond what they were required to do to help the government.

BTW, who do you think paid for the effort to get these names? I’ll guarantee you it wasn’t the government. Ultimately, the customers will have to pay for it in costs passed to them. In this case, with having to get a lawyer, those costs were no doubt increased substantially because of the government’s sloppiness.

All well and good if you welcome such inquiries, but since I know a little bit about the law and the enforcement of it combined with the fact that court material is PUBLIC RECORD, I do not wish just anybody having access to my credit card information. They don’t need to list my credit card number with name and address associated with it. They would be aiding criminal mischief themselves. Don’t rely on it remaining out of the public’s hands either. How many times have you heard of “mistakes” being made by government?

Excellent reason to use cash to purchase used equipment anonymously. BTW, what are the requirements for a business to retain this information in the first place? What if they had deleted it prior to the subpoena?

Hats off to Sparkfun for their resistance and transparency in the issue. However, knowing they keep this information forever means I probably won’t order from them using real information.

Sparkfun is a business. It’s common practice to hold your customer’s information. Common reasons are:
1. Customer wants to see their order history and review data.
2. Have data if a customer wants to dispute something they bought.
3. Tracking of their internal processes.
4. Understanding how their business works and how their customers operate and buy items.
5. Understand the demographic of their customers.

I’m sure there are tons of other reasons too. If you want to remain hidden, then don’t purchase items from stores. Even when you buy in cash, chances are you’re being recorded on a surveillance system somewhere.

If you want to not be part of the system then you need to scavenge parts from other equipment. Build it without looking up tutorials online or buying books. And don’t do anything illegal!

There’s storing some relevant info for some time, and there’s storing all you can for forever.
And then there’s asking people if they want their account info to be stored longer for instance, supplying a setting.

I’m rethinking my position on this. From Sparkfun’s position, they don’t expect to be part of a situation like this. There are lots of reasons to retain customer information. In a case like this it is really awful to be one of the 19 people who did nothing wrong.

Spark fun did push back though. The police wanted everyone’s information. Instead spark fun said no. We’ll give you the information pertinent to your investigation.
If 20 people had bought parts that matched the device then those 20 people are pertinent to the investigation.

Yes it sucks to be one of those 20 people but it’s not like sparkfun rolled over.

I’m re-thinking my position here slightly. I mean yes. If I was one of those 19 people who didn’t do anything wrong I would be annoyed. Maybe Sparkfun should have waited for a warrant. But then who knows what data and information would be taken.

In the kindest possible way — RTFA, and the comments after. They sent name, address, order, and shipping method. And they only sent the ones who ordered the offending part, minimizing exposure while complying with the spirit of the subpoena.

Did you read the article before replying? How about the comments, where Sparkfun elaborates on what went down? They sent Name, address, order, and shipping method. No CC details. And rather than take the easy way out and just comply with the letter of the subpoena, they took steps to minimize the data exposure without impeding the investigation. Someone else said it already — the only bad guys in this are the criminals. Spark Fun did right by its customers and the victims of the crime.

If you read the article (and comment section), you’ll find that SparkFun refused to give out Credit Card information, and that they don’t store CC information in their system to begin with! They did everything right in this case.

k suppose the govt sends alice a subpoena, mallory intercepts this email through some fault somewhere along the line (wifi sniffing, compromise of the pop or worse the govt’s smtp, or the isp…anywhere along the line) she reads the line and instead sends a message to the govt saying in essence “go fuck yourself”

A subpoena is like a warrant for information. It is the court demanding information. If you really want a warrant, I guess you could wait on the subpoena and then get a warrant for contempt of court, but then you go to jail and they get the information anyway.

If you RTFA you’ll see they explain that if the subpoena were refused, law enforcement could go get a warrant and compel disclosure.

A subpoena is not a “warrant for information” – it’s a step below a warrant that’s much easier for cops to use. Also consider that witnesses are routinely subpoenaed to appear in court, and they are certainly not “information”.

Notice that ALL ORDERS were demanded in the subpoena rather than merely those involving parts used by the credit card skimmers. This is a perfect example of the vast overreaching of government influence that threatens our freedoms every day. These are the same maniacs that have passed the NDAA, tried to slip through SOPA, and have now hit us with CISPA in the name of “security” or “defending intellectual property”. Those who trade liberty for security deserve NEITHER–and THAT is why Sparkfun is to be applauded. To the one who went on about “scrupling over turning over evidence to a crime”, I would remind you that history is replete with parallels. Every police state began with this kind of creeping overreaching of power, the silencing of dissent, and the stripping away of freedoms. Notice how the government flips out every time somebody manages to build something they thought only NASA or the military could. Notice how the now infamous Iranian used car salesman/drug addict from Texas was accused of turning remote controlled hobby airplanes into drones for the purpose of assassinating the Saudi ambassador to the US. When I heard that on the news I was on HACKADAY reading a post about a guy that built a pulsejet engine. This happened right before the government started selling military drones to local law enforcement. As in… weaponized drones. Is that not evidence of a police state? Create a false flag to justify deployment of military weapons on our own soil? How about the CIA’s admission earlier this year that our own appliances were outfitted with tech to spy on us, effectively creating an “internet of things”, or that the new “smart meters” can be used to hack home security systems–something that was outlined on HACKADAY. I for one will be shopping at Sparkfun from now on.
We either stick our heads in the sand or back away when the government pulls this crap and we WILL wake up in a police state where the tinkering we celebrate here will wake up one day to find that we’ve suddenly been made criminals.

Notice that ALL ORDERS were demanded in the subpoena rather than merely those involving parts used by the credit card skimmers. This is a perfect example of the vast overreaching of government influence that threatens our freedoms every day.

Or, as is far more likely, they just didn’t think of doing that which is why they were just as happy when Sparkfun suggested that alternative. But that’s less fun than overreacting paranoia.

Nice job blaming gov’t for the ills that people in general do. There was no over-reaching if you’d stopped and thought about it, it was just a generalized and broad request for information. Most likely, the form they were sent was a template for a subpoena and they just typed in a few dates and the item for request. You people that blame the gov’t for problems that individuals caused need to get a clue.

So people’s private information should be put at risk because the desk jockey at {insert gov’t building here} can’t be bothered to correctly fill out a form? Oh, yes, me so sorry. They don’t have to take any responsibility for their actions. I forgot. They’re the gov’t.

Exhibit A, folks, for why voting should be a felony. How comfortable are you with being ruled by people who get their political theories from something that’s recognized as crap even by the rather low standards of television sci-fi?

All I can say is at least they’re not going after sparkfun for supplying the parts. That, on the other hand, would be like going after ubuntu for some kids using aircrack on wifi.
+1 for getting the terms reworked. If you were one of the people who had their info turned over, you have nothing to worry about if you did nothing wrong ;)

I’m one of those whose information was handed over to the authorities. I live here in Georgia where the criminals were working. I’m glad that the police are working to track down and prosecute the idiots who are trying to steal my credit card numbers. I feel MUCH better using SparkFun knowing how they handled the situation. I have nothing to hide, but I also highly value my privacy. I don’t blame SparkFun for the release of my information, but the real criminals who are trying to steal my credit card information. I applaud SparkFun for both trying to protect my privacy by not just blindly handing everything over. This also shows that the prosecutors are reasonable and human. They asked for too much, but when pointed out, were reasonable enough to re-examine their request.

Chris, Please provide us with your full name, address and credit card number along with all of your sparkfun ordering history. Any additional proof of your claims would be appreciated too. Thanks so much! :)

All IMO of course;
SparkFun should be appreciated for not taking the easy road by not participating in the Law Enforcement dragnet, and LE criticized for attempt of a dragnet.. have a reasonable resemblance to law and order the public has to work with law enforcement when it comes to providing pertinent evidence, but LE should keep the scope of a subpoena to the case at hand. I suppose it’s ultimately the responsibility of the public to keep LE excess in check, but it isn’t unreasonable to expect LE to use good judgement. No doubt SparkFun’s legal counsel OK the posting of the document, but what was redacted seems silly. The names redacted are easy to discover, what I assume is an investigator identifier is the redaction that makes sense. Now I suppose that the crooks know to remove extraneous information from the parts they use

FOOLS! Sparkfun did NOT ignore the subpoena, they ignored the initial request for them to freely provide customer information. You CANNOT ignore a subpoena or you will be held in contempt of court and fined/jailed. The original request was for customer records because CARD READERS with the Sparkfun logo were seized in Georgia linked to scamming/fraud/identity theft. I APPLAUD Sparkfun for upholding customer privacy by rejecting the initial request, but I assure you, said documents were turned over upon receipt of the subpoena, unless the Sparkfun legal team had the subpoena overturned, but they made no mention of such an event.

The lesson here, is that if people wouldn’t use Sparkfun products to steal from other people, Sparkfun would never EVER release customer info!

A successful credit card skimming ring is going to be smart enough to not link themselves to the crime so obviously. A whole lot of people are going to have a bad day with the cops and they will probably subpoena other date ranges when they come up short.

Just a note: subpoenas aren’t warrants and have different rules. Subpoena requests never are seen by a judge, they are approved by the county clerk. These are usually rubber stamped without oversight or much recourse. As far as legal righteousness it’s similar to restraining orders, entirely one sided. One person says they are afraid, then BAM someone gets a legally binding document in the mail without any say in the matter outside of counsel and suit.

For those commenting about how Sparkfun breached their privacy by giving up information too easily, think about this: Sparkfun DIDN’T NEED TO DIVULGE INFORMATION ABOUT THE SUBPOENA TO THE GENERAL PUBLIC, but they did anyway.

I think this shows a remarkable level of transparency between Sparkfun and their customers, and their commitment to both customer privacy / rights as well as a (properly worded) court order.

Sparkfun is not taking their lumps because they’re happy they got a subpoena, they’re choosing to do the right thing and let their customers know that some (selected) data is now in a government database.

My only thought was; Hey, I live in Georgia not too far from Coweta Co. Believe me, they are some of the worst drivers in Georgia; I85 is 65-70 MPH and most of them do 10-20 mph over that. Next time you’re driving from Atlanta to Montgomery; check the license plate of those that pass you.

i thought all you needed to build one of those was some standard household discarded 20 year old everyday electronics, of which a list need NOT be posted here in order to convey the point lol
(plus avr/pic/other and solder and bare board and wires…)

PS: i agree with most of the posters here;
judges don’t realize just how many people would be shopping online for bare internal electronics parts like from a store such as sparkfun. so they “assumed” and/or “suspected” that the whole transistors and LEDs were a cover for creditcard skimmer parts… which in itself is not illegal, but giving directions on how to skim when also selling said parts is a very serious crime…

television documentaries have taught me that people actually openly sell such device parts THEN VOICECALL THE CUSTOMER THE DIRECTIONS AND EMAIL THE SOFTWARE TO ACTUALLY ***_USE_*** THE DEVICES FOR ILLEGAL FRAUD / THEFT.

PPS: it’s like the difference between selling PVC pipe by the foot (perfectly fine) and selling a kit to build a bbgun/spudgun(potatogun) IN or TO a state where building such without a license… blah blah blah

i say way to go sparkfun, what irks me the most are all the people who act like any resistance to the authorities is bad; the whole “what do you care if they invade your privacy if you have nothing to hide?” attitude is about as unamerican as you can get, but you don’t have to take my word for it:

The biggest problem with this situation I think is that if you were one of the 19 to buy the same part(s) as the ‘bad guy’ then your details will probably be put into some sort of suspect database which I would assume is very difficult/impossible to remove from.

Well it’s not unexpected, allegedly they found PIC microcontrollers in at least one undetonated IED but you don’t see Microchip getting subpoenaed because the parts are also available on Greedbay and a dozen other non traceable sources.
Same with 555 timers, cheap R/C cars and other commonplace items and chemicals.

Rumour has it that at least one terrorist group was discovered using Bluetooth headsets with the ranges extended as communications and control systems..

What particular part was it, anyway? I would assume it is some sort of card reader. However, I think it would be pretty easy to get hold of a reader. I even remember reading about someone using a cassette reader head to read cards. Also, how did they connect the criminal activity to SparkFun?

Are you also going to advocate throwing out the rest of the bill of rights along with the IV amendment? There is a difference between a subpoena and a court order. Court orders are issued by a court (as the name suggests) and MUST be complied with on penalty of contempt of court. A subpoena is a court process document produced by litigators and if for the production of certain specific documents is called a subpoena duces tecum. It is NOT an order of the court but (as has been suggested here) a fishing expedition by the litigator. The court will not order an action unless it is based on probable cause that a violation has occurred, that there is evidence available as to the nature and circumstances of the violation, and there is a greater chance that the evidence sought bears directly on the allegations than not. This means that it is the duty and responsibility of the court to weigh the evidence requested against the rights of the person(s) to be secure in their persons or papers. In other words, the court is the one to decide if the law enforcement agency or litigator is acting within due bounds of the law. Like in indicted v. convicted – it is believed v. proven.